I am looking at rclone-master directory downloaded from GitHub
The whole directory contains 450k lines of code, which is HUGE.
I suspect most of this is for parts not related to encryption. To determine the attack surface and security level of of the crypt backend, I looked at directory backend/crypt which contains 3.8k lines of code, which is more reasonable compared to 450k LoC.
However, it’s hard to find total number of lines of code involved with encrypting a repository using rclone, due to dependencies between various parts, and the fact that Go crypto libraries providing SecretBox and AES (for file names) should be counted as well.
Could rclone’s developers chime in about the attack surface and security of the encrypting data with rclone?
Is encryption part separated from the rest of the 450k LoC source mess?
How does rclone crypt security compare to that of alternatives such as Cryptomator (which is 40k LoC, 10X less than rclone size, but whose encryption part has also around 4K)?
Has rclone been audited (it’s a giant project and expensive to audit with 450k LoC)